Your message dated Fri, 28 Oct 2011 21:04:41 +0000
with message-id <e1rjtbv-0005ki...@franck.debian.org>
and subject line Bug#646769: fixed in phpldapadmin 1.2.0.5-2.1
has caused the Debian Bug report #646769,
regarding phpldapadmin: cross-site scripting vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
646769: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=646769
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: phpldapadmin
Severity: serious
Justification: security vulnerability
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for phpldapadmin.

CVE-2011-4074[0]:
| Input appended to the URL in cmd.php (when "cmd" is set to "_debug")
| is not properly sanitised before being returned to the user. This can be
| exploited to execute arbitrary HTML and script code in a user's browser
| session in context of an affected site.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4074
    http://security-tracker.debian.org/tracker/CVE-2011-4074

-- 
Jonathan Wiltshire                                      j...@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51



--- End Message ---
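
An added example, not part of the bug report or of the phpldapadmin package: a log check for the request pattern the CVE-2011-4074 description names (cmd.php with "cmd" set to "_debug" and further input appended to the URL). The combined access-log format, the /phpldapadmin/ path and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Request line inside an Apache/nginx "combined" log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Characters that can open or break out of HTML markup once reflected.
MARKUP_RE = re.compile(r'[<>"\']')

def decode_fully(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (conservative: also
    flags double-encoded input such as %253C)."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(log_line):
    """Return 'suspicious', 'debug' or None for one access-log line."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if not url.path.endswith("/cmd.php"):
        return None
    params = parse_qsl(url.query, keep_blank_values=True)
    if ("cmd", "_debug") not in params:
        return None
    # Markup characters anywhere in the query string of a debug request.
    if MARKUP_RE.search(decode_fully(url.query)):
        return "suspicious"
    return "debug"

def scan(lines):
    """Return (line number, verdict) for every line that touches cmd=_debug."""
    verdicts = ((n, classify(line)) for n, line in enumerate(lines, 1))
    return [(n, v) for n, v in verdicts if v]

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Oct/2011:10:00:01 +0000] "GET /phpldapadmin/cmd.php?cmd=login_form HTTP/1.1" 200 5120',
    '192.0.2.11 - - [28/Oct/2011:10:00:02 +0000] "GET /phpldapadmin/cmd.php?cmd=_debug HTTP/1.1" 200 9034',
    '192.0.2.12 - - [28/Oct/2011:10:00:03 +0000] "GET /phpldapadmin/cmd.php?cmd=_debug&%3Cb%3Eprobe%3C/b%3E HTTP/1.1" 200 9101',
    '192.0.2.13 - - [28/Oct/2011:10:00:04 +0000] "GET /phpldapadmin/cmd.php?cmd=_debug&note=%2522%253E HTTP/1.1" 200 9077',
    '192.0.2.14 - - [28/Oct/2011:10:00:05 +0000] "GET /index.php?cmd=_debug&%3Cb%3E HTTP/1.1" 404 310',
]

if __name__ == "__main__":
    for number, verdict in scan(SAMPLE_LOG):
        print(number, verdict)
```

Hits of either kind are worth reviewing on hosts that have not yet received 1.2.0.5-2.1, the version the closing message below names as fixed.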
--- Begin Message ---
Source: phpldapadmin
Source-Version: 1.2.0.5-2.1

We believe that the bug you reported is fixed in the latest version of
phpldapadmin, which is due to be installed in the Debian FTP archive:

phpldapadmin_1.2.0.5-2.1.diff.gz
  to main/p/phpldapadmin/phpldapadmin_1.2.0.5-2.1.diff.gz
phpldapadmin_1.2.0.5-2.1.dsc
  to main/p/phpldapadmin/phpldapadmin_1.2.0.5-2.1.dsc
phpldapadmin_1.2.0.5-2.1_all.deb
  to main/p/phpldapadmin/phpldapadmin_1.2.0.5-2.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 646...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonathan Wiltshire <j...@debian.org> (supplier of updated phpldapadmin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 27 Oct 2011 17:51:24 +0100
Source: phpldapadmin
Binary: phpldapadmin
Architecture: source all
Version: 1.2.0.5-2.1
Distribution: unstable
Urgency: high
Maintainer: Fabio Tranchitella <kob...@debian.org>
Changed-By: Jonathan Wiltshire <j...@debian.org>
Description: 
 phpldapadmin - web based interface for administering LDAP servers
Closes: 646754 646769
Changes: 
 phpldapadmin (1.2.0.5-2.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * CVE-2011-4074 Fix XSS vulnerability in debug code (Closes: #646769)
   * CVE-2011-4075 Fix arbitrary code execution by unauthenticated users
     (Closes: #646754)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----



--- End Message ---
